Vulnerability Disclosure Policy
PURPOSE
NEXA is committed to protecting the confidentiality, integrity, and availability of its information assets.
This policy establishes a controlled process for the reporting and management of security vulnerabilities affecting systems and services owned, operated, or managed by NEXA, and enables external parties to report potential vulnerabilities identified through normal use or inadvertent observation.
This policy does not authorize security testing, penetration testing, scanning, or any form of investigative activity unless explicitly approved in writing by NEXA.
SCOPE
This Policy applies to security vulnerabilities discovered in information systems, applications, services, and infrastructure that are owned, operated, or managed by NEXA.
AUTHORIZATION
NEXA does not authorize security testing, vulnerability scanning, penetration testing, or other investigative activity against its systems without prior written authorization.
Submission of a vulnerability report does not grant authorization to access, test, scan, exploit, or otherwise interact with NEXA systems beyond their intended and authorized use. Nothing in this Policy constitutes consent to conduct security testing or to access systems or data without authorization.
GOOD FAITH REPORTING
NEXA encourages the responsible reporting of vulnerabilities identified through normal authorized use or inadvertent observation. If a reporter acts in good faith, complies with this Policy, promptly reports the issue, avoids intentionally accessing, modifying, retaining, or disclosing data, avoids disrupting services, and ceases any activity upon discovering sensitive information, NEXA does not intend to pursue legal action solely for submitting such a report. This statement does not authorize security testing, penetration testing, vulnerability scanning, exploitation, or any activity otherwise prohibited by this Policy or by applicable law.
IN SCOPE
Examples include:
- Public-facing websites and web applications that are owned, operated, or managed by NEXA.
- APIs and cloud-hosted services provided by NEXA.
- Authentication, authorization, and session handling mechanisms.
- Unintentionally exposed NEXA-controlled administrative interfaces discovered on the public internet.
OUT OF SCOPE
The following activities are not authorized under this Policy:
- Denial-of-Service (DoS/DDoS) testing or stress testing.
- Social engineering, phishing, or physical security testing.
- Exploitation of vulnerabilities to access, modify, download, retain, or delete data beyond normal use.
- Credential stuffing or brute force attacks.
- Automated scanning or exploitation.
- Attempts to access, download, or retain data.
- Testing requiring credentials not lawfully obtained.
- Systems or services owned by third parties not under NEXA control.
- Customer, partner, or third-party systems.
- Duplicate reports for issues already reported to NEXA. NEXA may still acknowledge receipt and may request additional details.
DEFINITIONS
- Security vulnerability: A weakness that could be exploited to compromise confidentiality, integrity, or availability.
- Reporter: Any individual or organization that reports a potential security vulnerability to NEXA.
- Sensitive data: Information that is confidential, regulated, personal, or otherwise protected, including credentials, personal data, customer data, and proprietary information.
- NEXA systems: Systems, services, applications, and infrastructure owned, operated, or managed by NEXA and explicitly in scope under this Policy.
- Third party: Any entity not owned or controlled by NEXA, including vendors, partners, customers, and external service providers.
ABBREVIATIONS
- ISMS: Information Security Management System covering information security, cyber security, and privacy protection.
RESPONSIBLE DISCLOSURE EXPECTATIONS
Individuals reporting potential vulnerabilities must:
- Act in good faith.
- Avoid accessing, modifying, or deleting data.
- Avoid disrupting systems or services.
- Avoid attempting to escalate privileges or gain unauthorized access.
- Immediately cease activity if sensitive data is accessed.
- Not conduct active security testing unless explicitly authorized in writing.
- Not publicly disclose vulnerabilities without prior written consent from NEXA.
REPORTING VULNERABILITY
Vulnerabilities should be reported promptly using one of the following:
Email: security@nexamobility.com
If you need to send sensitive details, request an approved secure transmission method, such as encrypted email, by contacting the security team at the email address above.
Reports must not include sensitive personal data or production credentials unless a secure transmission method is coordinated with NEXA. If a report inadvertently includes personal information or other sensitive data, NEXA will handle such information in accordance with applicable law and NEXA's Privacy Policy.
Suggested report format
- Summary: What you found and why it matters.
- Asset: URL, application, API endpoint, and environment, if known.
- Steps to reproduce: Clear, numbered steps based on normal use or inadvertent observation.
- Impact: What risk or exposure may exist.
- Evidence: Screenshots, logs, or request/response samples, as applicable, excluding sensitive personal data or production credentials unless secure transmission has been coordinated.
- Contact: Preferred email for follow-up.
Reports should include, when possible:
- Description of the vulnerability.
- Affected system, service, or endpoint.
- Observed potential security impacts.
- Supporting evidence that does not include sensitive personal data or production credentials unless a secure transmission method is coordinated with NEXA.
VULNERABILITY MANAGEMENT PROCESS
NEXA manages vulnerabilities according to documented and auditable processes aligned with ISO standards:
- Receipt & Acknowledgment – Confirmation of report receipt.
- Issue / Vulnerability Description – Documentation of the reported issue, affected system, and available evidence.
- Triage & Validation – Confirmation and classification of the issue.
- Risk Assessment – Evaluation of severity and business impact.
- Investigation – Review of technical details and affected systems.
- Root Cause Determination – Identification of the underlying cause where applicable.
- Containment & Remediation – Development and deployment of corrective actions or mitigations.
- Corrective Action – Documentation and tracking of actions taken to address the issue.
- Preventive Action – Identification of actions to reduce recurrence where applicable.
- Verification of Effectiveness – Validation that remediation or mitigation is effective.
- Closure – Communication of resolution to the reporter, as appropriate.
NEXA prioritizes remediation based on validated risk and business impact, using an industry-standard scoring approach such as CVSS as an input where appropriate.
| Severity | Examples (non-exhaustive) | Target remediation window (after validation) |
| Critical | Remote code execution, privilege escalation/auth bypass, widespread data exposure. | As soon as practicable; expedited handling and mitigation prioritized. |
| High | Significant data access, serious injection flaws | Target fix or mitigation in a defined timeframe based on risk and complexity. |
| Medium | Limited data exposure, moderate misconfigurations | Planned remediation aligned to release cycles. |
| Low | Minor information disclosure, best-practice deviations. | Remediation scheduled as appropriate |
All vulnerabilities are logged, tracked, and reviewed in accordance with the NEXA ISMS.
CONFIDENTIALITY & COORDINATED DISCLOSURE
NEXA will use reasonable efforts to treat vulnerability reports as confidential security information, subject to applicable law, regulatory obligations, contractual obligations, court orders, and legitimate business requirements.
Vulnerability information must not be publicly disclosed without prior written authorization from NEXA.
NEXA aims to acknowledge receipt promptly and work with the reporter to agree on any disclosure timeline. Unless otherwise agreed in writing, NEXA’s default objective is to remediate or implement mitigations prior to any public disclosure.
Disclosure timelines will be coordinated mutually, considering:
- Severity and exploitability.
- Regulatory obligations.
- Customer and operational risk.
RESPONSE TIME TARGETS
Response timelines may vary based on complexity, risk, and available resources. NEXA aims, but does not guarantee, to acknowledge vulnerability reports within three (3) business days.
- Provide status updates as appropriate.
- Prioritize remediation based on severity, exploitation likelihood, and operational constraints, with expedited handling for critical issues.
RECOGNITION & REWARDS
NEXA does not offer financial rewards for vulnerability reports.
At NEXA’s discretion, NEXA may provide nonmonetary recognition, such as acknowledgment, with the reporter’s consent.
CONTACT
For questions regarding this Policy: security@nexamobility.com
NO CONTRACTUAL RIGHTS
This Policy is intended solely to facilitate the responsible reporting of potential security vulnerabilities. It does not create any contractual relationship, legal rights, or obligations between NEXA and any reporter. NEXA reserves the right to modify, suspend, or withdraw this Policy at any time without notice.